Procmgr abilities

The QNX Neutrino RTOS supports procmgr abilities: fine-grained, per-process settings, enforced by the process manager, that govern which privileged operations a particular process is permitted to perform.

A privileged process can obtain these abilities before dropping
root privileges, which lets it retain specific
functionality that historically would have been restricted to
root.
Furthermore, procmgr abilities can be locked, so that even
a root user can't carry out certain actions that root
might historically have been able to.
This significantly reduces the attack surface of the system, even for
a process that runs as root.

We recommend that you use the procmgr ability model wherever possible,
retaining specific abilities, and dropping and locking whatever isn't explicitly required.
Once you've used the retained abilities, you should drop and lock them if they're no longer necessary.
A number of simple examples of ability retention and locking are included in
the following sections.

You can adjust procmgr abilities by calling
procmgr_ability().
This function is typically used by services that start as
root and need to retain certain abilities before
dropping privileges.

The procmgr_ability() function takes as its
first argument a process ID, or 0 to indicate the calling process.
It's followed by a variable number of arguments, each of which
consists of a set of flags that indicate:

the ability itself (a PROCMGR_AID_* value)

the domain the setting applies to (root or non-root, that is, whether the process is running as root or not)

whether the ability is to be allowed, denied, locked, inheritable by child processes, and so on

whether additional arguments follow
(e.g., the PROCMGR_AOP_SUBRANGE flag calls for
a range to be associated with the ability, supplied as the two arguments that follow it)

The list of abilities must be terminated by an argument that includes the
PROCMGR_AID_EOL flag.
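The retain, drop and lock sequence recommended above, as a worked example added by the editor (it is not QNX's own sample code). It assumes a resource manager that, once unprivileged, needs only PROCMGR_AID_PATHSPACE to attach its pathname; an unprivileged service account with uid and gid 1001; and, when built on a non-QNX host, the constructed stand-in definitions under the #else branch, which mimic only the names and the variadic, PROCMGR_AID_EOL-terminated calling convention (their bit values are invented for this example). On a QNX target the real <sys/procmgr.h> is used and the stand-ins are compiled out.

```c
/* Editor's added example (not QNX sample code); see the lead-in for assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __QNXNTO__
#include <sys/procmgr.h>
#else
/* Off-target stand-ins so the sequence compiles and can be exercised on a
 * non-QNX host: constructed bit values (NOT those of <sys/procmgr.h>) and a
 * recorder with the real call's variadic, PROCMGR_AID_EOL-terminated shape. */
#define PROCMGR_AOP_DENY         0x80000000u
#define PROCMGR_AOP_ALLOW        0x40000000u
#define PROCMGR_AOP_LOCK         0x10000000u
#define PROCMGR_AOP_INHERIT_NO   0x04000000u
#define PROCMGR_ADN_ROOT         0x02000000u
#define PROCMGR_ADN_NONROOT      0x01000000u
#define PROCMGR_AID_SPAWN_SETUID 1u
#define PROCMGR_AID_SETUID       2u
#define PROCMGR_AID_SETGID       3u
#define PROCMGR_AID_PATHSPACE    4u
#define PROCMGR_AID_IO           5u
#define PROCMGR_AID_INTERRUPT    6u
#define PROCMGR_AID_EOL          0xffffffffu

static unsigned ability_log[32];
static int ability_log_len;
int ability_log_count(void) { return ability_log_len; }
unsigned ability_log_entry(int i) { return (i >= 0 && i < ability_log_len) ? ability_log[i] : 0; }

static int procmgr_ability(pid_t pid, unsigned ability, ...)
{
    va_list ap;
    (void)pid;
    va_start(ap, ability);
    for (unsigned a = ability; a != PROCMGR_AID_EOL; a = va_arg(ap, unsigned))
        if (ability_log_len < 32)
            ability_log[ability_log_len++] = a;
    va_end(ap);
    return 0;
}
#endif

#define SERVICE_UID ((uid_t)1001) /* assumed unprivileged service account */
#define SERVICE_GID ((gid_t)1001)
/* deny + lock in both domains: not even a later root compromise can regain it */
#define LOCK_OUT (PROCMGR_ADN_ROOT | PROCMGR_ADN_NONROOT | PROCMGR_AOP_DENY | PROCMGR_AOP_LOCK)

/* Step 1 (still root): allow, in the non-root domain, only what the service
 * needs after it drops privilege, and keep child processes from inheriting it. */
int retain_abilities(void)
{
    return procmgr_ability(0,
        PROCMGR_ADN_NONROOT | PROCMGR_AOP_ALLOW | PROCMGR_AOP_INHERIT_NO
            | PROCMGR_AID_PATHSPACE, /* needed to attach the service's pathname */
        PROCMGR_AID_EOL);
}

/* Step 2 (still root): lock out what the service never needs. SETUID and
 * SETGID are still required by step 3, so they are locked later, not here. */
int lock_unneeded_abilities(void)
{
    return procmgr_ability(0,
        LOCK_OUT | PROCMGR_AID_SPAWN_SETUID,
        LOCK_OUT | PROCMGR_AID_IO,
        LOCK_OUT | PROCMGR_AID_INTERRUPT,
        PROCMGR_AID_EOL);
}

/* Step 3: switch to the service account and verify that the switch took. */
int drop_root(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Step 4 (non-root, after setup): the pathname is attached and the uid is
 * final, so PATHSPACE, SETUID and SETGID can be dropped and locked as well. */
int release_setup_abilities(void)
{
    return procmgr_ability(0,
        LOCK_OUT | PROCMGR_AID_PATHSPACE,
        LOCK_OUT | PROCMGR_AID_SETUID,
        LOCK_OUT | PROCMGR_AID_SETGID,
        PROCMGR_AID_EOL);
}

int main(void)
{
    if (retain_abilities() != 0 || lock_unneeded_abilities() != 0) { perror("procmgr_ability"); return 1; }
    if (drop_root(SERVICE_UID, SERVICE_GID) != 0) { perror("drop_root"); return 1; }
    /* the service's own setup, e.g. resmgr_attach() of its pathname, goes here */
    if (release_setup_abilities() != 0) { perror("procmgr_ability"); return 1; }
    printf("running as uid %d with a minimal, locked ability set\n", (int)getuid());
    return 0;
}
```

The order matters: a lock is irreversible for the life of the process, so an ability the service still needs (here SETUID and SETGID, used by the drop itself, and PATHSPACE, used during setup) is locked only after its last use, while abilities it never needs are locked as early as possible. Checking the return value of every call, and re-reading the uid and gid after the drop, turns a silently failed privilege drop into a hard startup error rather than a service that keeps running as root.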